From: "Josh Carroll" <josh.carroll@gmail.com>
Date: Sat, 27 May 2006 19:31:32 -0700
To: "Jeremie Le Hen"
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Alexander Kabaev
Subject: Re: [fbsd] Re: Integrating ProPolice/SSP into FreeBSD
Message-ID: <8cb6106e0605271931p55971b2bwdb311275ce21819@mail.gmail.com>
In-Reply-To: <20060527172358.GC25953@obiwan.tataz.chchile.org>
References: <20060526153422.GB25953@obiwan.tataz.chchile.org> <20060526183554.25d5cc0d@kan.dnsalias.net> <20060527172358.GC25953@obiwan.tataz.chchile.org>
List-Id: Discussions about the use of FreeBSD-current

I agree that having the necessary hooks to enable/disable SSP would be
nice. It would also be nice if this can be done for ports in addition
to base.

Josh

On 5/27/06, Jeremie Le Hen wrote:
> On Fri, May 26, 2006 at 06:35:54PM -0400, Alexander Kabaev wrote:
> > On Fri, 26 May 2006 17:34:22 +0200
> > Jeremie Le Hen wrote:
> >
> > > Hi,
> > >
> > > first sorry for cross-posting but I thought this patch might interest
> > > -CURRENT users as well as people concerned by security.
> > >
> > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
> > > further than it has been realized so far.
> > >
> > > It is available here:
> > > http://tataz.chchile.org/~tataz/FreeBSD/SSP/
> > >
> > > Everything is explained on the web page, but I will repeat some
> > > information here. The patchset is split in two parts to ease the
> > > review of the patch. The -propolice patch is only the original
> > > ProPolice patch for GCC 3.4.4 applied on the FreeBSD source tree. The
> > > -freebsd patch contains the glue I have written to make things neat.
> > >
> > > The patch exists for both CURRENT and RELENG_6. Both introduce a
> > > new make.conf(5) (and src.conf(5)) knob to enable stack protection
> > > on a per-Makefile basis. It is of course possible to compile your
> > > world with it. Please refer to the web page for more information.
> > >
> > > The patch has been tested and works pretty well. My laptop and my
> > > workstation at work are compiled with SSP: world, kernel and ports,
> > > including X.org.
> > >
> > > I hope you will enjoy it.
> > > Regards,
> > > --
> > > Jeremie Le Hen
> > > < jeremie at le-hen dot org >< ttz at chchile dot org >
> > > _______________________________________________
> > > freebsd-security@freebsd.org mailing list
> > > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > > To unsubscribe, send any mail to
> > > "freebsd-security-unsubscribe@freebsd.org"
> >
> > How does this compare to the GCC 4.x mudflap feature? I do not plan to
> > include the ProPolice patch into the base system any time soon and will
> > object to anyone trying to do so due to the future maintenance headaches
> > this will inevitably create. The GCC 4.1.1 import is in the works though
> > and should be available shortly.
>
> I wasn't aware of the mudflap feature. I had a quick look at it
> through [1], and it appears mudflap focuses on pointer dereferencing.
> ProPolice focuses on stack-based buffer overflows; this is mostly the
> same as StackGuard, which is presented in the paper. According to
> Wikipedia [2], StackGuard isn't maintained any longer, while
> ProPolice has been merged into GCC 4.1.
>
> I understand you are working on the GCC 4.1.1 import and that modifying
> contributed sources will be a problem for you, though I must admit I
> am not sure I understand the whole pain this creates. I will try to
> maintain the patch on my own until the GCC 4.1.1 import, so that users
> will be able to make the best of ProPolice.
>
> BTW, given that GCC 4.1.1 will contain the ProPolice bits, I think it
> will be worth having some knobs to turn SSP on or off for the base
> system. I have become pretty confident with the build system and the
> problems that libssp triggers. I would be glad to provide you with some
> of the glue I have written so far in my patch (the -freebsd part).
> Please let me know if you are interested in this. If your current
> work is publicly accessible, I'd be glad if you gave me the URL.
>
> [1] http://gcc.fyxm.net/summit/2003/mudflap.pdf
> [2] http://en.wikipedia.org/wiki/ProPolice
>
> Thank you.
> Best regards,
> --
> Jeremie Le Hen
> < jeremie at le-hen dot org >< ttz at chchile dot org >
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
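The guard-word check that distinguishes ProPolice/SSP from mudflap in the thread above, modelled in C as an added illustration (this is not code from the patch, from GCC, or from the FreeBSD tree): a guard value is written between the local array and the frame state that must survive the call, and compared before the function returns. The struct layout, the guard value and the function names are assumptions made for this model; the real instrumentation rearranges stack locals and aborts through a handler instead of returning a flag.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/*
 * Model of an SSP-protected frame (added illustration, not the patch's code).
 * ProPolice places character arrays directly below the guard and the saved
 * return address; here that layout is simulated with a struct so that the
 * overflow stays inside one object and the model itself is well-defined C.
 */
#define BUF_LEN 16

struct frame {
    char     buf[BUF_LEN];   /* the local array an overflow would run off */
    uint32_t guard;          /* canary: set in the prologue, checked in the epilogue */
    uint32_t saved_ret;      /* stands in for the saved return address */
};

/* Assumed process-wide guard value (the role of the global guard variable the
 * instrumentation reads). It contains a NUL byte, which on little-endian hosts
 * is the byte adjacent to buf, so a NUL-terminated string copy cannot rewrite
 * the whole guard with printable data without the mismatch being noticed. */
static const uint32_t guard_value = 0x0A0DFF00u;

/*
 * Copies len input bytes into the frame with no bounds check (the class of
 * bug SSP is meant to catch), then performs the epilogue comparison.
 * Returns 1 if the guard is intact and 0 if it was clobbered, which is the
 * point where real instrumentation would call the smash handler.
 */
int run_protected(const unsigned char *input, size_t len)
{
    struct frame f;
    f.guard = guard_value;
    f.saved_ret = 0xC0DEC0DEu;      /* constructed placeholder */
    if (len > sizeof f)             /* clamp so the model never leaves the object */
        len = sizeof f;
    memcpy(&f, input, len);         /* buf is at offset 0: bytes 16..19 land on guard */
    return f.guard == guard_value;
}

/* Feeds len bytes of filler (constructed input) through the protected frame and
 * reports whether the epilogue check would have fired. Any write that reaches
 * saved_ret has necessarily crossed the guard first, so it is always caught. */
int overflow_detected(size_t len)
{
    unsigned char fill[sizeof(struct frame)];
    memset(fill, 'A', sizeof fill);
    return !run_protected(fill, len);
}
```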